- As we continue to closely monitor the unfolding conflict between Russia and Ukraine, we're publishing this advisory to support global organizations.
- The world fears further conflict, and there is the potential for retaliatory action by Russian threat actors, leading to both targeted attacks and collateral damage. The goal of this advisory is to provide context and background that can be used to brief executive leadership, as well as action items to help enhance resilience in the event of ensuing attacks.
- There are understandable concerns in the cyber security industry as a result of a collective memory of the 2017 NotPetya attacks. These were targeted at Ukraine, but nevertheless crippled numerous global organizations and caused billions in losses. Many stakeholders will be mindful of the extent of the collateral damage from a new swathe of potential supply chain attacks.
- There are also many businesses who have close ties with Ukraine, either with employees working in-region, or customers, supply chain vendors and wider networks being heavily impacted by the conflict. These organizations may be directly affected by the current escalation in cyber activity.
- Additionally, organizations such as financial institutions and critical infrastructure are rightly concerned that sanctions from the US and the EU may cause backlash and retaliation from Russia in the form of cyber warfare.
- Although the situation could escalate at any time, and we should all be prepared for that reality, the current level of cyber activity leveraged against assets in Ukraine, while effective, is far less sophisticated than the NotPetya attacks in 2017. Russian threat actors have used known vulnerabilities and techniques that cyber-criminal organizations have already been using for some time.
- We should remain calm, but vigilant. This is the time to redouble our efforts and engage in proactive tasks such as threat hunting and ensuring incident readiness. Ensure that your organization is ready to respond to potential disruptive attacks by following the guidelines below.
Understanding the current cyber landscape in Ukraine
As cyber warfare escalates in Ukraine, organizations are increasingly concerned by the headlines. First, there was the discovery of WhisperGate in mid-January 2022, and more recently, on February 22nd, a large-scale Distributed Denial-of-Service (DDoS) attack took down several websites belonging to government and financial institutions.
However, what we’ve seen so far in the field in terms of Russian cyber activity is a far cry from the attacks of 2017. These attacks are not overly sophisticated, leveraging known TTPs against organizations that are susceptible to commonly observed attacks.
In addition, it seems that the recent attacks are more surgical in nature – there’s no evidence of cross-organization worm-like behavior or massive supply chain attacks as we’ve seen with NotPetya. Instead, it would appear that the goal of these attacks is to spread chaos and fear. So far, the majority of cyber attacks are being used as a component in a Russian information warfare effort to sow distrust, while bringing down critical infrastructure is left to physical weapons.
Despite this, we shouldn’t underestimate the capabilities of the Russian cyber warfare apparatus. Russia uses tools of different levels of sophistication for different use cases, and keeps unknown capabilities in reserve to be used strategically. While some of its tools are for espionage, others will be used to spread misinformation, or to destroy or manipulate data. We’ve seen that Russian cyber criminals are able to infiltrate networks and remain hidden for months or even years, and that they are highly skilled at launching supply-chain attacks, as demonstrated with SolarWinds last year.
While currently the Russians are using commonly observed TTPs, and the recent attacks have not been configured to spread autonomously or impact global operations, we can assume that the Russians are planning ahead. They are taking into account the reaction of the West in the form of sanctions, and have plans for their own retaliation and response.
This is a call to action for any cyber security stakeholder. It stands to reason that financial services are clear targets, as well as those working in critical infrastructure like water, oil and gas, but we should also expect a rise in the number of opportunistic attackers. These threat actors will use the emergence of nation-state incidents to launch their own attacks in a less targeted fashion. Many organizations may also have employees, networks, supply chain vendors or customers in Ukraine itself, and be immediately impacted by cybercrime in the region. In a time of conflict, everyone needs to be more vigilant.
What can you do?
Russian cyber attacks often leverage commonly observed hacking tools and mechanisms for infiltration, detection avoidance, privilege escalation and lateral movement, so protecting against the basics will cover a lot of the threat. However, some organizations have still not addressed this baseline level of risk. Now is the time to demonstrate an additional level of readiness, response and resilience, and specifically to:
- Perform table-top exercises: These should focus on destructive attacks and bring relevant IT and security stakeholders together to simulate a disruptive cyber attack, thereby identifying weak spots in your recovery and remediation procedures and playbooks.
- Revisit your backup infrastructure: Review your backup processes to ensure they are resilient to attacks and manipulation. Make sure access to backup infrastructure and management interfaces is appropriately restricted and monitored.
- Execute recovery exercises: These should be adapted to ransomware/wiper attacks – pay close attention to foundational infrastructure (e.g., AD, DNS). Many business-critical applications rely on this infrastructure, yet it is not necessarily covered by business continuity plans or standard operating procedures.
- Identify potential weak spots in your supply chain: Pay particular attention to those that are connected to Ukraine and neighboring countries. In some cases, you may want to consider adapting permissions and tightening access control policies for vendors that are connecting to your environment from these regions.
If you can, hunt!
The Russians (and at least one ransomware threat actor group) have threatened to launch retaliatory strikes against the US and its allies, leveraging existing access to organizations’ networks. If you have the capabilities, we recommend conducting threat hunting exercises to identify potential backdoors before they are leveraged. Focus on externally facing assets that are susceptible to attack, as well as on known tactics and techniques used by these threat actors.
To ensure these threat hunting exercises are effective, make sure you have optimized visibility into your critical assets and crown jewels.
In addition, we highly recommend following CISA’s “Shields Up” advisory.
Our final message? Stay vigilant but calm. While at the moment we aren’t seeing any signs of significant cyber warfare with impact beyond Ukraine and Russia, in this kind of volatile situation events can escalate quickly. As a result, the best way to be prepared is to go back over the basics and ensure you’ve followed best practices.
If you are currently impacted or concerned by the situation in Russia and Ukraine, or are seeking guidance, please contact us at firstname.lastname@example.org or our 24/7 hotline +1-877-686-8680
This advisory and any information or recommendation contained herein has been prepared for general informational purposes and is not intended to be used as a substitute for professional consultation on facts and circumstances specific to any entity. While we have made attempts to ensure the information contained herein has been obtained from reliable sources and to perform rigorous analysis, this advisory is based on initial rapid study, and needs to be treated accordingly. Sygnia is not responsible for any errors or omissions, or for the results obtained from the use of this Advisory. This Advisory is provided on an as-is basis, and without warranties of any kind.